Unusual Web Request

calendarMar 6, 2023  ·
Share on: linkedincopy

A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload. When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for command-and-control communication. When rare URLs are observed being requested for a local web server by a remote source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers which are part of common Internet background traffic.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/03/25"
 3maturity = "production"
 4min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 5min_stack_version = "8.3.0"
 6updated_date = "2023/03/06"
 7
 8[rule]
 9anomaly_threshold = 50
10author = ["Elastic"]
11description = """
12A machine learning job detected a rare and unusual URL that indicates unusual web browsing activity. This can be due to
13initial access, persistence, command-and-control, or exfiltration activity. For example, in a strategic web compromise
14or watering hole attack, when a trusted website is compromised to target a particular sector or organization, targeted
15users may receive emails with uncommon URLs for trusted websites. These URLs can be used to download and run a payload.
16When malware is already running, it may send requests to uncommon URLs on trusted websites the malware uses for
17command-and-control communication. When rare URLs are observed being requested for a local web server by a remote
18source, these can be due to web scanning, enumeration or attack traffic, or they can be due to bots and web scrapers
19which are part of common Internet background traffic.
20"""
21false_positives = [
22    """
23    Web activity that occurs rarely in small quantities can trigger this alert. Possible examples are browsing technical
24    support or vendor URLs that are used very sparsely. A user who visits a new and unique web destination may trigger
25    this alert when the activity is sparse. Web applications that generate URLs unique to a transaction may trigger this
26    when they are used sparsely. Web domains can be excluded in cases such as these.
27    """,
28]
29from = "now-45m"
30interval = "15m"
31license = "Elastic License v2"
32machine_learning_job_id = "packetbeat_rare_urls"
33name = "Unusual Web Request"
34references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
35risk_score = 21
36rule_id = "91f02f01-969f-4167-8f55-07827ac3acc9"
37severity = "low"
38tags = ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning", "Command and Control"]
39type = "machine_learning"
40
41[[rule.threat]]
42framework = "MITRE ATT&CK"
43[[rule.threat.technique]]
44id = "T1071"
45name = "Application Layer Protocol"
46reference = "https://attack.mitre.org/techniques/T1071/"
47
48
49    [[rule.threat.technique.subtechnique]]
50    id = "T1071.001"
51    name = "Web Protocols"
52    reference = "https://attack.mitre.org/techniques/T1071/001/"
53
54
55[rule.threat.tactic]
56id = "TA0011"
57name = "Command and Control"
58reference = "https://attack.mitre.org/tactics/TA0011/"

to-top